An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company's critical cyber assets was posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white-hat security researcher alerted the company to the breach after being able to access the information online. The company determined that a third-party contractor had improperly copied protected company data to its own unsecured network.
The company notified its regulator, the Western Electricity Coordinating Council, of the incident. A subsequent investigation revealed the company failed to apply its information protection program to the exposed protected information. The company also failed to ensure its contractor followed its information protection program. The company indicated that it believed it unlikely the data was accessed or acquired during the time it was available online. Regulators were not as optimistic. In its penalty notice to the Federal Energy Regulatory Commission, the North American Electric Reliability Corp. noted that there was no assurance the data was not already used or acquired by a malicious actor.
Putting it Into Practice: This case is a reminder that when incidents occur, regulators may take aggressive positions about the level of protections a company had (or should have had) in place. This holds true not just for regulator expectations about internal controls, but for third-party controls as well.